IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ADVISORY 00-056

"SubSeven DEFCON8 2.1 Backdoor" Trojan
October 17, 2000

A new variant of the SubSeven Trojan Horse has been discovered in the wild. This malicious computer code could constitute a new threat of distributed denial of service (DDoS) attacks. DDoS attacks were responsible for serious disruptions of several major e-commerce web sites in February 2000. The NIPC and industry partners believe that this new variant may be used to conduct further DDoS attacks which may be more difficult to detect.

Internet Security Systems Inc. (ISS) indicates that the new variant of SubSeven, named DEFCON8 2.1, has been distributed on Usenet news groups with an executable filename of "SexxxyMovie.mpeg.exe." ISS believes that individuals are using this Trojan to test new distributed denial of service methods. More information can be obtained from the ISS web site at http://xforce.iss.net/alerts/advise65.php

The NIPC has independently determined that this variant of SubSeven works on Windows 95, Windows 98 and Windows ME. Previously released variants of SubSeven have allowed remote attackers to obtain all cached information including, for example, passwords, play audio files, access a webcam, and capture screenshots. Upon execution of the "SexxxyMovie.mpeg.exe," a copy of the executable is renamed using a random name/number scheme and placed in the c:\windows directory. After the Trojan copies itself, an entry is placed within the registry and system.ini to start the Trojan process with every boot of Windows. Subsequently the Trojan deletes itself, thus leaving only the newly created Trojan filename within Windows. This variant of SubSeven joins an IRC (Internet Relay Chat) channel on irc.icq.com to notify intruders via IRC or ICQ when new computers are infected. This variant of SubSeven listens on port 16959 or the default port 27374.

The NIPC and others are currently in the process of analyzing the Trojan's code to identify its purpose.

ISS provided a copy of the binary code to the NIPC for further distribution to CERT/CC and the greater anti-virus community. The anti-virus software industry has been notified of the new variant and will test the new variant against their existing SubSeven Dat files which they believe will pick up this malicious code. Full descriptions and removal instructions of a number of variants can be found at various anti-virus software firms web sites, including the following:

http://www.symantec.com
http://www.nai.com (McAfee)
http://www.antivirus.com (Trend Micro)
http://www.fsecure.com
http://www.sophos.com

As always, users are advised to keep their anti-virus software current by checking their vendors' web sites frequently for new updates, and to stay apprised of alerts from NIPC, CERT/CC, and other cognizant organizations.

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm.